out-of-bounds read in archive_read_format_iso9660_read_header() #949

Closed
@carnil

Description

Hi

The following was reported downstream in Debian in https://bugs.debian.org/875966.

The reproducer (compressed with gzip), base64-encoded oob.iso.gz, is:

H4sIAAAAAAACA+3WsQmAQAwF0NwqTvCtHED3X0mbaxQEwUa897o0v0lCkgAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAbd2SudXbnOqWS33nSeZ0Stcr/rBwBnlwBV+x9/sPAIzDOw4AAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAADJAVTyAwTg/wAA

Tested against 5562545.

ASAN_OPTIONS="detect_leaks=0" ./bsdtar -xOf ~/oob.iso
=================================================================
==13912==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000024800 at pc 0x5644c43511e9 bp 0x7ffc1fbd20d0 sp 0x7ffc1fbd20c8
READ of size 1 at 0x631000024800 thread T0
    #0 0x5644c43511e8 in parse_file_info libarchive/archive_read_support_format_iso9660.c:1767
    #1 0x5644c434c76f in choose_volume libarchive/archive_read_support_format_iso9660.c:1115
    #2 0x5644c434cdeb in archive_read_format_iso9660_read_header libarchive/archive_read_support_format_iso9660.c:1181
    #3 0x5644c4304d61 in _archive_read_next_header2 libarchive/archive_read.c:648
    #4 0x5644c430502f in _archive_read_next_header libarchive/archive_read.c:686
    #5 0x5644c43c938f in archive_read_next_header libarchive/archive_virtual.c:148
    #6 0x5644c42e0110 in read_archive tar/read.c:260
    #7 0x5644c42df303 in tar_mode_x tar/read.c:112
    #8 0x5644c42dc62d in main tar/bsdtar.c:866
    #9 0x7f31071db2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #10 0x5644c42d7f79 in _start (/root/libarchive/bsdtar+0x3ff79)

0x631000024800 is located 0 bytes to the right of 65536-byte region [0x631000014800,0x631000024800)
allocated by thread T0 here:
    #0 0x7f3108af8b70 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9b70)
    #1 0x5644c431926e in file_open libarchive/archive_read_open_filename.c:358
    #2 0x5644c4303da8 in archive_read_open1 libarchive/archive_read.c:480
    #3 0x5644c43186ba in archive_read_open_filenames libarchive/archive_read_open_filename.c:152
    #4 0x5644c43182ae in archive_read_open_filename libarchive/archive_read_open_filename.c:109
    #5 0x5644c42dfed2 in read_archive tar/read.c:222
    #6 0x5644c42df303 in tar_mode_x tar/read.c:112
    #7 0x5644c42dc62d in main tar/bsdtar.c:866
    #8 0x7f31071db2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow libarchive/archive_read_support_format_iso9660.c:1767 in parse_file_info
Shadow bytes around the buggy address:
  0x0c627fffc8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffc8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffc8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffc8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffc8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627fffc900:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13912==ABORTING
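The report does not say which field parse_file_info read past the end of the 64 KiB read buffer, so the following added example (not libarchive's code) shows the general defence for this class of bug: every ISO 9660 directory-record field is checked against the bytes actually remaining in the buffer before it is read. The record bytes are constructed for the example, not taken from the reproducer above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not libarchive code: bounds-checked parsing of one
 * ISO 9660 directory record (field offsets per ECMA-119, section 9.1). */
#define DR_FIXED_LEN 33u          /* bytes 0..32 precede the file identifier */

typedef struct {
    uint32_t extent;              /* location of extent (little-endian half) */
    uint32_t size;                /* data length (little-endian half) */
    uint8_t  name_len;
    const uint8_t *name;          /* points into the caller's buffer */
} dir_record;

static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Returns the record length consumed, or 0 if the record does not fit in the
 * `remaining` bytes (or is the zero byte used as end-of-sector padding).
 * Each length is validated against `remaining` before any field behind it is
 * read, so a crafted record cannot pull a read past the end of the buffer. */
size_t parse_dir_record(const uint8_t *p, size_t remaining, dir_record *out)
{
    if (remaining < 1 || p[0] == 0) return 0;
    size_t rec_len = p[0];
    if (rec_len < DR_FIXED_LEN || rec_len > remaining) return 0;
    uint8_t name_len = p[32];
    if (DR_FIXED_LEN + name_len > rec_len) return 0;   /* name overruns record */
    out->extent = le32(p + 2);
    out->size = le32(p + 10);
    out->name_len = name_len;
    out->name = p + DR_FIXED_LEN;
    return rec_len;
}

/* Constructed 34-byte record (not the page's reproducer): extent 0x18,
 * size 0x10, one-byte identifier "A". Both-endian fields carry both halves. */
static const uint8_t well_formed[34] = { 34, 0, 0x18,0,0,0, 0,0,0,0x18,
    0x10,0,0,0, 0,0,0,0x10, 0,0,0,0,0,0,0, 0, 0, 0, 1,0,0,1, 1, 'A' };
dir_record last_record;              /* filled by the check functions below */

size_t check_well_formed(void) { return parse_dir_record(well_formed, sizeof well_formed, &last_record); }

/* Same bytes, but the buffer ends one byte early: an unchecked read of the
 * identifier at p[33] would land 0 bytes past the end, as in the ASan report. */
size_t check_truncated(void) { return parse_dir_record(well_formed, sizeof well_formed - 1, &last_record); }

/* Identifier length claiming far more bytes than the record holds. */
size_t check_oversized_name(void)
{
    uint8_t buf[34];
    memcpy(buf, well_formed, sizeof buf);
    buf[32] = 200;
    return parse_dir_record(buf, sizeof buf, &last_record);
}
```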
